AT&T do it right
In an article at the Wall Street Journal about the iPad ICCID breach, AT&T CEO Randall Stephenson said that they will give a new SIM card to anyone who asks. This is absolutely the right thing to do – kudos is due to both Mr Stephenson and to AT&T for their response here. Thank you – you just gained a fan.
Here’s the thing. When Adobe or Microsoft or Mozilla or any other software company suffers a security problem, the solution to it is a patch. It may take a while to develop and test that patch, and it may require immense bandwidth to deliver that patch, but the cost to deploy that patch is essentially the same no matter how many people were affected. Develop the patch once and it doesn’t matter whether you deliver it to a hundred people or a million people – the cost is essentially the same.
Compare that to the breach of SIM card information, as was the case with AT&T. A SIM card is hardware – it’s an actual thing, with real tangible costs associated with it. Once AT&T figured out how they were going to “patch” (or in this case, how to allow their subscribers to change their IMSIs – no trivial matter) there’s then a non-zero cost per user. A ball-park guess would be $5 for the SIM itself (the physical chip plus the cost of provisioning it in the backend), plus another $5 to cover packaging materials, postage costs, and the inevitable tech-support calls when things don’t go right at the consumer’s end. $10 per SIM multiplied by 114,000 users and you’re at $1.1M to “patch” this vulnerability – I’d wager that’s more expensive than any patch developed by any software company, ever (although fairly small compared to security breaches).
Did AT&T bring this on themselves by associating the ICCID and IMSI like this in the first place? Yes they did, but then so does every other US cellular operator (although it’s apparently rare in Europe) – AT&T were just unlucky enough to get caught out first. They also did this probably 20 years ago or more, and it might even have been a reasonable decision at the time – I really can’t fault them for designing their network this way, although I would argue that it’s long past time to fix it.
The important point here is that AT&T have set a precedent: if your IMSI is compromised by an attacker, you’re entitled to a new SIM card. Fortunately for AT&T (this time) the SIM card is easy to replace on an iPad, but there are many other devices that aren’t so easy. iPhones are the obvious first mention, but what about all the embedded systems that use GSM for backhaul? Burglar alarm panels, ebook readers, point-of-sale systems – many of these have deliberately inaccessible SIM cards. If these IMSIs were compromised it could require a service engineer to dismantle each device in person to replace the SIM cards, costing hundreds of dollars per subscriber. That gets expensive really quickly.
So again, thank you AT&T and thank you Mr Randall Stephenson. You’ve set an important precedent here, one that will likely end up costing someone a very large sum of money after the next hardware breach. That said, it’s the right thing for the industry and it’s the right thing for your consumers. Good on you.